Widespread vulnerabilities found in programs which use OpenSSL

New vulnerabilities were discovered yesterday in multiple programs that use OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Because of a common mistake in checking the return values of signature-verification functions, several programs may be vulnerable to spoofing of digital signatures.

The most important affected program is ISC BIND, the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. The BIND developers released BIND 9.6.0-P1 this morning to fix this bug.

OpenSSL's developers also made the same mistake in their own code. OpenSSL 0.9.8j was released yesterday to fix a number of bugs within the OpenSSL library where signatures could be accepted incorrectly. According to the OpenSSL advisory, these bugs affect the signature checks on DSA and ECDSA keys used with SSL/TLS. Clients using unpatched versions of OpenSSL are vulnerable to man-in-the-middle attacks when connecting to SSL/HTTPS servers with DSA certificates. Fortunately, DSA certificates on websites are very rare — we find only 31 third-party-validated DSA certificates in the Netcraft SSL survey.

It is likely that other programs using OpenSSL have made the same mistake. The advisory identifies a number of other affected programs, including NTP, lasso and Sun Grid Engine — in each case, new versions that fix the bug are or will soon be available.
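
The return-value mistake described above, as an added example (not code from OpenSSL, BIND or this article): OpenSSL documents `EVP_VerifyFinal()` as returning 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that tests the result as a boolean accepts the error case. `toy_verify`, its toy signature format and the sample bytes are hypothetical stand-ins constructed here so the block runs without linking OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tri-state convention documented for OpenSSL's EVP_VerifyFinal():
 * 1 = signature valid, 0 = signature invalid, -1 = error while verifying. */
enum { VERIFY_ERROR = -1, VERIFY_BAD = 0, VERIFY_OK = 1 };

/* Constructed sample data (not real signatures). */
static const unsigned char EXPECTED[]      = {0xAA, 0xBB, 0xCC};
static const unsigned char SIG_GOOD[]      = {3, 0xAA, 0xBB, 0xCC};
static const unsigned char SIG_WRONG[]     = {3, 0xAA, 0xBB, 0x00};
static const unsigned char SIG_MALFORMED[] = {9, 0xAA, 0xBB, 0xCC}; /* length byte lies */

/* Hypothetical stand-in for a library verify call (assumption, not OpenSSL).
 * Toy format: one length byte, then that many tag bytes. A blob that cannot
 * be parsed yields VERIFY_ERROR rather than VERIFY_BAD. */
static int toy_verify(const unsigned char *sig, size_t sig_len,
                      const unsigned char *exp, size_t exp_len)
{
    if (sig == NULL || sig_len < 1 || (size_t)sig[0] != sig_len - 1)
        return VERIFY_ERROR;                      /* malformed encoding */
    if ((size_t)sig[0] != exp_len || memcmp(sig + 1, exp, exp_len) != 0)
        return VERIFY_BAD;                        /* well-formed but wrong */
    return VERIFY_OK;
}

/* Mistaken pattern: result treated as a boolean. -1 is non-zero, so the
 * "failed" branch is skipped and an unverifiable signature is accepted. */
static int accept_boolean_check(const unsigned char *sig, size_t sig_len)
{
    if (!toy_verify(sig, sig_len, EXPECTED, sizeof EXPECTED))
        return 0;                                 /* rejected */
    return 1;                                     /* accepted */
}

/* Corrected pattern: only an explicit 1 counts as success. */
static int accept_strict_check(const unsigned char *sig, size_t sig_len)
{
    return toy_verify(sig, sig_len, EXPECTED, sizeof EXPECTED) == VERIFY_OK;
}

int main(void)
{
    printf("malformed: boolean check=%d, strict check=%d\n",
           accept_boolean_check(SIG_MALFORMED, sizeof SIG_MALFORMED),
           accept_strict_check(SIG_MALFORMED, sizeof SIG_MALFORMED));
    return 0;
}
```

When auditing callers of a verify function with this convention, flag any test of the form `if (!rc)` or `if (rc)` and require a comparison against 1.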